PT-2026-31357 · Npm · Openclaw
Publicado
2026-03-29
·
Atualizado
2026-03-29
CVSS v3.1
4.2
Média
| Vetor | AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N |
Summary
Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName
Affected Packages / Versions
- Package:
openclaw - Affected versions:
<= 2026.3.24 - First patched version:
2026.3.25 - Latest published npm version at verification time:
2026.3.24
Details
Google Chat group authorization previously relied on mutable space display names, which allowed policy rebinding when names changed or collided. Commit
11ea1f67863d88b6cbcb229dd368a45e07094bff requires stable group IDs for access decisions.Verified vulnerable on tag
v2026.3.24 and fixed on main by commit 11ea1f67863d88b6cbcb229dd368a45e07094bff.Fix Commit(s)
11ea1f67863d88b6cbcb229dd368a45e07094bff
Correção
Incorrect Authorization
IDOR
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Openclaw